India's Draft Rules for Protecting Privacy

India's approach to protecting privacy through draft rules includes selective dynamic controls, aiming for easier implementation and balancing business and regulatory needs.

Sectoral Requirements and Data Localisation

• The rules involve sector-specific requirements for data localisation.
• There is a focus on critical personal data, like health or finance, which faces less resistance regarding export control.
• Lesser restrictions are placed on less-sensitive information, facilitating digital commerce.

Regulatory Approach

• India's method aligns with a conservative regulatory approach that has been effective over time, avoiding radical changes.
• Data fiduciaries are categorized based on volume and sensitivity of data processed, allowing differentiated treatment.

Implementation and Security Measures

• The phased implementation aids entities in adopting necessary safeguards.
• Security measures include breach intimations and mitigation provisions to protect data integrity.
• Industry is expected to adapt more swiftly compared to government agencies.

Public Scrutiny and Government Carve-outs

• The draft rules aim to establish a framework governing official data collection and processing.
• Basic privacy protection involves declaring data collection purposes and managing consent.

Consent Management and Minors

• Rules regulate consent management through intermediaries to protect consumer interests.
• Parental consent rules for minors might set a precedent for other regions dealing with similar issues.

Stakeholder Engagement and Legal Updates

• Intensive stakeholder engagement led to the scrapping of a previous law and the introduction of a revised version.
• The new law awaits finalization of rules, expected with minor revisions.